Dr. Marc Störing, an IT and Data Partner at Osborne Clarke, has recently produced a report for the FIA (The Federation Internationale de L’Automobile) which looks at whether car data from connected and autonomous vehicles constitutes ‘personal data’ and whether product liability legislation allows Original Equipment Manufacturers (OEMs) to exclusively collect and process such data.
Being specialists in the transport and automotive sectors, with a focus on technology, Osborne Clarke frequently advises on connected and autonomous vehicles (CAVs). This specialist sector knowledge, together with our data protection legal expertise, allows us to provide valuable insights on this topic.
Dr Marc Störing comments:
“As modern vehicles get more connected, the benefits derived from data exchange between manufacturers, suppliers and third party service providers, as well as other stakeholders of the aftermarket, are endless. But the legal position on data in connected vehicles and associated liability laws remains a complex area to navigate. This paper, produced specifically for the FIA, seeks to provide clarity on the legal position of data protection supervisory authorities, taking into account literature and current case law, as well as the position of various European automotive industry associations.”
The report, titled ‘What EU legislation says about car data?’, forms part of the FIA’s #MyCarMyData campaign.
What does the report cover?
1. Data in connected vehicles under current and future European privacy law
- The report explores two different approaches, one set out by European automotive industry associations (the mutual exclusion theory) and the other being the opinion of the European Commission (EC) (theory of combined qualification), on whether vehicle generated data can be categorised exclusively as ‘technical data’ or whether it could qualify as a combination of ‘personal’ and ‘technical’ data. The report seeks to determine the correct approach by looking at relevant legislation and literature.
- What qualifies as ‘personal’ data: the report looks at a relative approach (considering only the company controlling the data, i.e. the data controller) vs. an absolute approach (which encapsulates the capabilities of almost everyone involved, including the individual and the company) looking at the Data Protection Directive and GDPR.
- The definition of ‘personal data’ as set out in case C-582/14 by the European Court of Justice (ECJ) and how it relates to connected vehicles and OEMs.
- The issue of anonymised data and when it qualifies as ‘personal’ data.
- The data controller (the person responsible for processing the data): the report explores the different definitions and meaning of ‘data controller’ under the German and English version of the Data Protection Directive, together with GDPR.
2. Mitigating ‘lock-in’ effects
- The report explores how Article 20 of GDPR (the right of portability) tries to mitigate the effects of company data monopolisation to stamp out anti-competitive processes and allow customers to freely dispose of their data. This right to portability allows the data subject to grant permission to third parties for the transfer of data from connected vehicles, thus allowing the sharing of data between different ‘data controllers’.
- The definition of what data is considered ‘provided’ by the customer: the report looks at both a narrow interpretation (i.e. data provided by the customer to controllers under a contract) and an extensive interpretation (i.e. portable data) of what data is ‘provided’ by the customer. Furthermore, it explores which definition fits well when looking at data from connected vehicles.
- The limitations of Article 20’s ‘right to portability’ of data are also discussed in this report: e.g. its exclusion of anonymous data, data unrelated to the data subject, data relating to other drivers and passengers (other than the vehicle keeper) in relation to connected vehicles.
3. OEM liability vs. individual rights
- The report looks at the extent to which OEMs can process data to fulfil:
– product monitoring obligations under the Product Liability Directive; and
– obligations under The European Product Safety Directive, which encompasses ex ante obligations (obligations before the product was made available on the market, e.g. checking for product risks) and ‘after-market’ obligations (e.g. the carrying out of sample testing of products, investigating and keeping a register of complaints), while at the same time looking at individuals’ rights to data privacy, as the customer has to give consent for the processing of his/her data.
- The principle of ‘necessary’ data: the report looks at the fact that data should only be processed by the ‘data controller’ if it is ‘necessary’ to fulfil the intended purpose, e.g. to fulfil statutory monitoring obligations.
The FIA’s primary goal is to secure mobility that is safe, affordable, sustainable and efficient. The My Car My Data campaign believes that drivers should be the ones deciding if vehicle data should be shared and with whom as cars are equipped with sensors, localisation and communication devices.